Risks facing directors & officers

August 2016 | ROUNDTABLE | RISK MANAGEMENT

Financier Worldwide Magazine

August 2016 Issue

The risks faced by directors & officers (D&Os) on a daily basis are unforgiving and unrelenting. Indeed, the range of liabilities – which include being held accountable for bribery, corruption and fraud, competition and antitrust matters, environmental law, health and safety, tax, international sanctions, money laundering and financial reporting requirements, among others – is extensive. Yet awareness among corporate leaders about the extent of their culpability remains a key issue. Compounded by escalating regulatory scrutiny, the risks that D&Os encounter cannot and should not be underestimated.

Snow: How would you characterise the extent of risks and concerns generally being felt by D&Os? How has the threat landscape shifted in recent years?

Musoff: Risks and concerns arising from the securities litigation and regulatory landscape have not abated. The pace of securities litigation filings in 2016 is on track to result in the highest number of actions brought since 2004. There are numerous potential reasons for this trend, including the volatility of the markets inherent in this economic environment. Many plaintiffs’ firms, including some of the relatively smaller players, are now bringing more suits regardless of merit. In addition, as financial crisis litigation has declined, plaintiffs’ firms have devoted resources toward bringing more traditional ‘stock drop’ cases, especially in volatile industries such as in the life sciences field. In addition, the political landscape continues to pressure regulators to focus on holding individuals accountable. We should also expect the scrutiny and activity of activist investors to continue questioning and second guessing director and officer conduct.

Mebane: In recent years, D&Os have been under greater scrutiny given increased regulatory enforcement and a litigious environment that focuses on a company’s management team and D&Os’ ‘awareness’ of any potential misconduct and its actions to identify, treat and monitor the risks that may have contributed to the alleged misconduct. Furthermore, shareholders and investors have an expectation that D&Os will oversee an organisation responsibly. Consequently, they have increased obligations and responsibilities and must react appropriately to ‘red flags’ and address concerns and allegations that could arise in an organisation.

Flockhart: The combination of more stringent regulation, higher public expectation and a greater willingness to bring claims means that there is now a much greater emphasis on personal accountability of D&Os than ever before. Since the financial crisis in 2008, there has been a marked shift in public perception of the role of senior executives in particular. Corporate responsibility is no longer enough; people want to see that the individuals in control are held accountable for their actions.

Bentz: In the US, the recent Yates Memorandum suggests that the DoJ is placing a renewed focus on ensuring that D&Os will be held personally liable for corporate misconduct. The DoJ’s new policy is clear – prosecutors should seek to build the strongest possible case against individuals in corporate investigations. The Yates Memorandum could have a significant impact on whether companies receive cooperation credit in government investigations and represents a shift in how settlement negotiations will be conducted. Another area of increased exposure is in data privacy and security. The plaintiffs’ bar has brought several cases against D&Os who, they allege, have failed to take adequate measures to protect their customers’ personally identifiable information (PII). This exposure appears only to be growing as hackers become more and more sophisticated in their attempts to steal PII.

Melides: The risks and exposures felt by D&Os today continue to be heavily influenced by the developments in the economy, legislation and the regulatory landscape, as well as social trends and the prevalent business environment. In my opinion, there are two notable themes having a major impact on the current environment. Firstly, as global trade continues to expand, and alongside a rise in regulatory scrutiny around the world, the threat is truly international. Secondly, and more importantly, individual accountability and responsibility have come into focus. From a regulator’s perspective, a corporate settlement is no longer enough and wrongdoers have to pay their dues.

The risks and exposures felt by D&Os today continue to be heavily influenced by the developments in the economy, legislation and the regulatory landscape, as well as social trends and the prevalent business environment.

— George Melides

Snow: Could you outline the kinds of risks that D&Os generally face on a daily basis? In which scenarios are these risks most acute, such as shareholder backlashes against major strategic decisions?

Melides: The current economic and financial market environment has held the attention of board directors and executives today and will continue to do so in the foreseeable future. Failing to proactively identify and manage risks has multiple effects in a business, like missing corporate objectives, such as revenue and profits, deterioration of brand and reputation, loss of shareholder value and impact on employee morale. For example, in their effort to protect and grow the bottom line, D&Os focus on cutting costs. But more often than not, something is missed. So when an unpredictable and potentially harmful event happens, disruption to the business will go much further than expected. Then, the objective of profitability isn’t just missed but could turn to a financial loss. And before you know it, shareholders, regulators and government agencies are on your front step and ready to go after individuals.

Musoff: Directors and officers face the risk of second guessing on a daily basis, whether relating to corporate strategy or disclosure issues. The benefit of hindsight often colours a decision in ways that were not perceptible when the decision was actually made. That is why process is integral both to good decision-making and to protect directors and officers. And good process should be implemented before any problems or issues arise. It is easier to implement and also sets a standard and benchmark by which conduct could be measured.

Mebane: D&Os face a range of risks on a consistent basis. Such risks include, for example, activist-type shareholder behaviour that seeks greater transparency surrounding a company’s strategic decisions and direction, general public interest in the commercial success of an organisation, and a heightened focus on individual culpability by US regulators. These inputs are examples of vulnerabilities that impact the individual reputation, liability and exposure of D&Os. Given the enforcement and litigation trends that companies are responding to in the United States, individual liability resulting from them could be considered one of the more acute risks for D&Os. The implications can be longstanding and far reaching with exorbitant legal costs, significant monetary sanctions and personal reputational harm.

Flockhart: D&Os face risks from diverse sources. In the UK, legal duties and obligations are imposed on D&Os by way of legislation including the Companies Act 2006, the Financial Services and Markets Act 2000, the Insolvency Act 1986, the Data Protection Act 1998 and the Bribery Act 2010, to name a few. In addition, the new Senior Managers Regime (SMR), which came into force in March this year, now imposes a significant regulatory burden on D&Os. Failure to comply with these extensive duties could lead to reputational damage, heavy personal fines, disqualification and even criminal liability in the most serious cases. Shareholders are also increasingly willing to take an activist approach towards their investments which in some cases includes derivative lawsuits being brought against boards. Personal accountability is also on the agenda in emerging risk areas, for example cyber risk. In the US, we have recently seen several high-profile examples of shareholder derivative claims being brought against directors in relation to high profile data breaches.

Bentz: D&Os operate under closer scrutiny today than ever before – extreme volatility in the stock market, a sluggish economy and alleged corporate scandals have encouraged an active plaintiffs’ bar. This, combined with increased governmental regulation, increased focus on individual liability, activist shareholders and cyber claims, has put the actions of D&Os under a microscope. Faced with the very real and ever increasing risk of significant litigation judgments, defence costs and damage to reputation, many directors and officers have begun to focus on how to best protect their personal assets. For many, this has meant a fresh look at their D&O liability insurance. Although a D&O insurance policy cannot protect against all risks to a director or officer, a comprehensive and properly negotiated D&O policy can help significantly reduce the chance that a director’s or officer’s personal assets could be at risk.

Snow: To what extent is there still a lack of awareness of the risks D&Os face? In your experience, do they fully appreciate the full range of threats in today’s market?

Mebane: Companies’ overall risk profiles and awareness continue to broaden and increase in complexity. Necessarily, it becomes imperative that D&Os stay mindful of the responsibility of serving on a company’s board and complete appropriate due diligence prior to accepting a position. To that end, D&Os must keep well-informed and understand the overall risk landscape of the company, as well as the possible influence international regulations in the various markets have on D&O liability. This assessment ensures that D&Os go into these relationships with ‘eyes wide open’ and have comprehensive knowledge and corresponding protection against the risk of liability.

Flockhart: D&Os do not always fully appreciate the full range of potential liability risks to which they may be exposed. This is particularly so for individuals who hold positions on boards in multiple jurisdictions as the liability landscape and ability to obtain protection via an indemnity or insurance can vary wildly between jurisdictions. Certain jurisdictions are also much more litigious and aggressive than others – such as the US, where class actions and shareholder derivative suits are more commonplace than in the UK. The best way for D&Os to manage the potential risks and liabilities that they and the company which they represent face is to be as well-informed as possible. Given the regulatory shift towards accountability of senior executives in other jurisdictions, D&Os should familiarise themselves with the position in all jurisdictions in which the company operates.

Musoff: Directors and officers are generally sophisticated, aware of risks and take their responsibilities very seriously. However, it is often difficult when in the midst of daily business and decision making to recognise all of the risks arising from a particular situation. Establishing a culture of information sharing, relying on outside advisers and open dialogue within the company can serve to create an environment that recognises and addresses risks.

Bentz: In our experience, D&Os generally understand the most significant risks of a lawsuit from their service as a director or officer of a company. However, they tend not to fully understand how protections against the risks work. For example, D&Os generally know to ask whether their company has D&O or cyber insurance and some will even know to ask how much limit they have in the policies. But few know how to determine whether the coverage provided by the policies is in good shape or that it will protect against the biggest risks they face as a director or officer. Instead, they trust that someone else at the company has considered this or they rely on their insurance broker to take care of it. This can be a very risky strategy.

Melides: As far as large, multinational corporates are concerned, I do not believe there is any lack of awareness. In terms of board responsibility, we have seen significant changes in the last five or six years among independent executives and non-executives who are seeking out more technical advice. They want to enhance their knowledge generally and develop a much greater understanding of the kinds of business and activities that the organisations they oversee are entering. And even in some instances, executive and non-executive members have taken it upon themselves to continuously train and keep up to date with changes affecting their responsibilities within the organisation. The threat is greater with small or mid-size companies though. Here, resources can be limited and so can be the knowledge of the boards and executive teams. And unfortunately, for regulators, the lack of awareness or knowledge is no longer an acceptable defence. Nor will regulators go easy on an individual because he or she is not an expert on a particular topic.

Establishing a culture of information sharing, relying on outside advisers and open dialogue within the company can serve to create an environment that recognises and addresses risks.

— Scott D. Musoff

Snow: Have you observed any legal and regulatory changes that could have a significant impact on personal risks to D&Os?

Bentz: Although the Yates Memorandum suggests the DoJ is increasing its focus on individual liability, we have not yet seen a significant increase in personal liability for directors or officers. Notwithstanding, many companies are taking steps now to limit the potential impact of the policy set forth in the Yates Memorandum. For example, many D&Os are being advised to exercise their Fifth Amendment right to remain silent when the DoJ begins an investigation. This can cause a problem with regard to whether they are entitled to have their defence costs advanced under the corporate bylaws. If it is unclear, the DoJ may argue that any advancement is a lack of cooperation. To help avoid this situation, some companies are amending their bylaws to make it clear that the company must advance defence costs even if the director or officer exercises his or her Fifth Amendment rights.

Melides: The introduction of the SMR, which came into force on 7 March 2016, has been an important and noteworthy change in the UK. This new regime, which applies to UK incorporated banks, building societies, credit unions and PRA designated investment firms in the UK, as well as branches of foreign banks, is designed to make senior managers more personally accountable for their firms’ failures. Under this new regime, there is an expectation of an increase in regulatory investigations focusing on individuals and holding them personally accountable. The regulators of the financial services industry, the Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA), will oversee the new regime. Furthermore, with the FCA’s new rules regarding self-reporting and whistleblowing due to be fully implemented by September 2016, it is also quite likely that we will see a spike in whistleblowing reports to authorities, which eventually can lead to further actions taken against both firms and individuals.

Flockhart: In the UK, the SMR in particular has significantly impacted the personal risks faced by many D&Os in the financial and other regulated industries. Currently, the SMR applies to senior managers in the banking sector but this is due to be extended to insurance and other financial services firms in due course. Intended to promote personal accountability, the SMR requires senior managers to clearly identify areas of the business for which they are responsible and take reasonable steps to prevent any regulatory breaches from occurring in those areas. This so-called ‘duty of responsibility’ prevents senior managers from being able to hide behind the business and makes it necessary to actively demonstrate that they understand their areas of responsibility and are fully aware and in control of regulatory risk and issues relating to these areas. Sanctions for breaches of the regime can involve the imposition of heavy financial penalties, and the costs of obtaining legal representation in dealing with the regulator can be high. Significant personal liability may therefore be incurred. Another potential exposure for D&Os in the banking sector is the new criminal offence of reckless misconduct in the management of a bank which also came into force in March this year. While it seems likely that this offence will only be relevant in the most serious of situations, senior executives should be aware that a conviction could lead to an unlimited fine or a prison sentence.

Musoff: There is a lot of political pressure on regulators to identify and pursue individuals and not just corporations for alleged wrongdoing. Indeed, the DoJ declared a policy shift focusing on individual accountability, including requiring corporations that want to get credit for cooperation to identify individuals responsible for wrongdoing, regardless of their position. In addition, the global reach of corporate conduct now implicates a global set of regulations and laws. Sometimes the reach of any country’s rules and regulations extends well beyond its borders touching upon conduct that at times appears to have a tenuous nexus to the enforcing country. This requires directors and officers to be vigilant in overseeing conduct across the globe and to consider setting uniform standards that govern such conduct even if not necessarily required in the country where such conduct is occurring. This arises, for example, in areas relating to the US Financial Corrupt Practices Act (FCPA) and the UK Bribery Act.

Mebane: The issuance of the Yates Memo in September 2015 may be one of the more recent impactful legal developments that affect D&Os. The crux of the Yates Memo focuses on the prosecution of individuals, including board members, and requires a company under investigation to certify that it fully disclosed all information about individuals involved in the alleged wrongdoing before finalising a settlement agreement. Specifically, the Memo states that before a corporation can receive any cooperation credit, it should divulge all information about individuals involved or aware of the alleged misconduct. Further, guidelines within the Yates Memo state that prosecutors are mandated to outline the intention on prosecuting culpable individuals at the time companies are sanctioned. As a result, corporations will need to assess the potential for conflicts of interest earlier in the investigatory process when determining whether counsel is required for individual employees and D&Os because individual and organisational representation could conflict. D&Os and senior management receive comprehensive education on risks, while extending support of a company’s compliance policies and procedures and strive to ensure that non-compliance is addressed promptly. These proactive steps help mitigate potential exposure and liability that could arise should misconduct be discovered and a regulatory inquiry proceed.

Snow: In your opinion, should D&Os be held personally liable for offences such as bribery, corruption and fraud that occur throughout their organisation?

Musoff: Of course, personal and individual liability would depend on the particular circumstances. But it is often unfair in hindsight to try to hold senior individuals liable for the wrongdoing of others at a corporation. It is simply not realistic to expect directors or senior officers to be aware of what every employee around the world might be doing at any given moment. That is why establishing a strong process, ethical culture and proper tone at the top is important. Also, the potential to unfairly blame individuals when not warranted under the circumstances will only serve to deter qualified people from seeking out and taking director and officer positions.

Bentz: This is a complicated issue. Simply saying that a director should be personally liable for fraud may sound good but the reality is that, legally, some statutes do not really differentiate between fraud and simple negligence. This is even more complicated in countries where you can be criminally liable for simple negligence – for instance, the UK Corporate Manslaughter Act. In fact, many D&O policies make these distinctions in their conduct exclusions for that very reason. For example, at least one insurer only excludes ‘intentional fraud’ or ‘an intentional criminal act’. The insurer further excludes claims that are considered criminal in foreign jurisdictions but are only civil matters in the US. Of course, all of this must be weighed against the company’s ability to attract qualified directors.

Mebane: Anti-corruption compliance will remain a focus for shareholders and regulators. Although D&Os do not have an operational role, but instead an oversight one, they should consider evaluating a number of issues to support a company’s adherence to local and international anticorruption regulations to promote a culture of integrity and minimise individual liability. These include having an appropriate tone at the top, understanding of the outcome and impacts of an anticorruption risk assessment and how those findings impact internal controls and culture throughout an organisation, understanding how robust and risk-relevant the company’s compliance programme and processes are, and receiving an appropriate level of anti-bribery training and communications.

Melides: In today’s economic and regulatory landscape, organisations of various sizes and across different industries are confronted with significant challenges in respect of compliance and governance. As the field of business activity expands globally, operating within and across different jurisdictions with several authorities demanding adherence to an incalculable set of rules, processes and standards, implementing the appropriate compliance frameworks presents an enormous task. In such an environment, the board of directors has the clear responsibility for ‘setting the tone’ and driving the company’s culture of compliance across all jurisdictions, entities and individuals and balancing that against financial growth and shareholder returns. This is what regulators and other stakeholders expect. Board directors and senior executives hold such positions in order to add value and to lead their organisations. Failing to ‘set the tone’ in compliance should come with consequences.

Flockhart: Generally speaking, greater personal accountability leads to higher standards and better corporate behaviour, so the regulatory changes are positive in nature overall. D&Os are in a position of trust and responsibility so it is important that they understand the full scale of the obligations and standards that they face. That said, any system of regulation should be realistic in terms of what individuals can do to prevent any legal or regulatory issues occurring in an organisation, particularly in relation to large organisations which are active in many jurisdictions.

This so-called ‘duty of responsibility’ prevents senior managers from being able to hide behind the business and makes it necessary to actively demonstrate that they understand their areas of responsibility and are fully aware and in control of regulatory risk and issues relating to these areas.

— Ffion Flockhart

Snow: Have you observed any recent D&O claims cases in which the outcome proved to be particularly significant? How might the outcome of such cases impact on how D&Os view the risks they face?

Bentz: Some of the more significant, recent cases involve director liability related to data breaches. It is clear that directors have some responsibility to make sure that the company is handling confidential information appropriately. What is less clear is how much directors must do to insulate themselves and their companies from potential liability. As more breaches occur, it is likely that the plaintiffs’ bar will test the limits of how much is enough. If we start to see significant liability attach to these cases, some directors may reconsider whether they should continue on a board. This is especially true if there is no effective way to transfer the risk to an insurance policy.

Flockhart: The recent emergence of cyber risk as a key risk management issue and developments in data privacy law mean that D&Os, as well as companies, will now be held to higher standards than ever in order to protect key information held by the business. With cyber risk management now a critical boardroom concern, D&Os can be exposed to derivative actions from shareholders whose investment may have decreased as a result of a cyber incident. This is well illustrated by recent shareholder derivative suits in the US against the boards of Target, TJ Maxx and Home Depot following their respective high profile data breaches. To minimise the D&O risk as much as possible, boards should have an understanding of the full scale of the cyber risk the company is facing and ensure that adequate cyber security and mitigation measures have been put in place. This will involve working closely with risk managers and IT security officers.

Melides: The D&O claims environment is very dynamic and we constantly observe changes and trends developing. In my view, I do not believe there has been a ‘landmark’ case that I can single out or a case that introduced a new or different risk or exposure that we have not previously observed in the field of D&O insurance. We could consider the RBS right issue ‘class action’, or to use the better term of ‘group litigation order’ for the UK, as something new solely in terms of its size and number of claimants. However, this is not a new type of claim. A rise in shareholder derivative actions has been observed following data breaches of security and privacy, although much of the focus is on the fiduciary duties of directors. From our side, we have observed some developments in international claims, particularly in emerging markets; but we still need some more evidence before we can regard them as significant.

Mebane: There has been an enhanced focus on a corporation’s cyber security risks, and over the course of the previous two years we have seen an increase in cyber breach claims brought against D&Os. Key cases include Target, Wyndham and Home Depot, where plaintiffs alleged that D&Os did not adhere to their fiduciary duties and provide due care by knowingly failing to ensure the appropriate protections were in place for customer personal and financial data. Plaintiffs also asserted that prior data breach cases should provide a basis for companies to ensure the appropriate controls and protections are in place to mitigate this risk in the future. These cases were disruptive and caused reputational harm, but also included another area for regulatory enforcement, thereby expanding a company’s risk exposure and ensuring another risk area that management and D&Os need to be prepared to effectively identify and mitigate.

Musoff: There have been recent cases where courts have held officers and directors potentially responsible for alleged retaliation against whistleblowers under Sarbanes-Oxley. This is just one example of the potential for personal liability and the need to ensure that there is adequate insurance coverage. On the other hand, the increase in securities filings does not mean there has been an increase in the quality of cases being filed. Indeed, there are indications that there may be an inverse relationship, as the percentage of dismissals has increased.

Snow: What advice would you give to D&Os in terms of ensuring that they have appropriate levels of D&O insurance coverage in place?

Musoff: The focus on individual accountability and liability has direct implications on insurance coverage and the importance of making sure directors and officers are adequately insured. Directors and officers should routinely monitor and discuss with the company’s insurance broker and others the level of coverage in advance of the time for renewal. It is important to keep in mind that the focus on individual accountability could result in the need for separate counsel under certain circumstances, which could increase the total costs and the need for adequate insurance coverage. In the private equity context, it is important to analyse coverage from both the perspective of the portfolio company of the board on which someone might sit and from the perspective of the private equity firm.

Flockhart: Discussions about the scope and limits of the company’s D&O insurance should be occurring at board level. It is important for management to ensure that key terms and definitions in the policy are kept up to date to reflect any regulatory developments to ensure adequate coverage. For example, the definition of ‘insured person’ may need to be updated to ensure that individuals caught by the SMR are included in the scope of cover. More generally, the higher risk of personal liability imposed on senior managers means that organisations need to ensure that an appropriate level of cover is in place. As there can be a large number of D&Os insured under a policy, the limits of cover available can be quickly eroded by claims. To ensure that senior managers are appropriately covered, we are seeing a number of clients put in place ring-fenced limits for board members and senior managers or entirely separate policies for these individuals.

Melides: Today, D&O insurance is considered a significant component of an insurance programme for large, multinational corporates, as well as for small and medium size enterprises. Furthermore, D&O insurance is viewed as an essential tool of good corporate governance and protection against personal liability. However, D&O insurance is not a ‘one size fits all’ product. The more complex the risk, the more manuscript solutions are needed. Furthermore, unlike other, more traditional types of insurance products, such as property or motor, D&O largely deals with ‘intangible risk’ and is thus more difficult to quantify. To help their assessment, directors should consider the size of the business operation, level of regulatory involvement and impact, geographic footprint and level of complexity in structure and decision making process. In addition, it is critical that directors choose their partners carefully, as having upskilled and specialist brokers and insurers involved will allow them to choose the appropriate solution with confidence.

Bentz: There is no foolproof way to determine the ‘perfect’ amount of D&O insurance to purchase for any particular year. That said, there are many factors that can inform insureds as to the proper amount of insurance they need to feel comfortable. Insureds should consider claim studies, benchmarking reports, what amount is necessary to attract strong directors, and what the insured can afford when making its decision about the amount of coverage it needs. When deciding the appropriate limit to purchase, insureds should also remember that defence costs are typically – but not always – included within the limit of liability. Ultimately, insureds have to balance the worst case loss scenario against the cost of buying more insurance. At some point, there will be a balance between cost and risk.

Simply saying that a director should be personally liable for fraud may sound good but the reality is that, legally, some statutes do not really differentiate between fraud and simple negligence.

— Thomas Bentz

Snow: How have D&O insurance policies evolved over the past few years?

Flockhart: The new regulatory climate means that D&Os face the very real prospect of losing their personal assets as a result of regulatory investigations or enforcement action. D&O policies are evolving to cover personal expenses in these circumstances, such as mortgage payments, utility bills and even school fees, which could provide vital support to senior executives and their families. We are also now seeing greater emphasis on the cover available for the costs of dealing with pre-investigation enquiries from regulators. This reflects increased levels of engagement between regulators, companies and D&Os which fall beyond a formal regulatory investigation.

Bentz: One of the most important changes to D&O insurance policies in the last few years is a focus on limiting individual insureds’ potential exposure if their company fails or refuses to advance defence costs. In the past, if a company failed or refused to advance defence costs to a director or officer, the director or officer would have to personally satisfy the applicable retention before any coverage would attach. For many insureds, this could mean serious amounts of money. Some newer policies eliminate this risk by stating that, if the company was permitted by law to advance defence costs but fails or refuses to do so, the insurance company will advance the defence costs to the individual insured within the retention. This is an important benefit in light of the Yates Memorandum’s focus on corporate cooperation and individual liability.

Snow: How can D&Os accurately determine whether or not their insurance coverage is equal to the range of risk scenarios that exist? What are the main aspects D&Os should consider when evaluating the options for liability coverage?

Bentz: Perhaps the most important factor to consider when deciding which D&O policy to purchase is the terms and conditions of the policy itself. Terms and conditions in D&O policies are not standard. An insured who saves a few dollars in premium by selecting an inferior policy will regret their choice. Insureds should also consider the claims handling reputation of their insurers. Different insurers handle claims very differently. For example, some insurers have their own experienced claims staff while others use outside law firms to adjust claims. Another consideration is longevity. Some insurers try to time their entry and exit from particular areas of insurance to coincide with the hard and soft market cycle. While such an insurer may be able to offer lower prices during ‘good times’, it is typically better for an insured to work with an insurer who will remain in the market long term.

Mebane: Because of the heightened regulatory vigilance and the enforcement and litigation environment, D&Os can be held individually liable for regulatory violations and insurers may be held responsible for large payouts. It is important that D&Os re-evaluate existing coverage that could preclude coverage depending on the type of matter that arises for a company.

Flockhart: All businesses should be aware that the D&O risk landscape is constantly shifting, so they should continue to monitor this in all jurisdictions in which they are active. D&Os should be in regular contact with their brokers and lawyers to ensure that the cover they are buying is appropriate for the particular needs of the business. This will include checking that all limits and sub-limits are suitable and, if the business is international, it will be vital to ensure that the coverage territory reflects this.

Snow: With regulatory investigations and enforcement action heavily focused on senior management, how can D&Os protect themselves against the costs of fighting an allegation?

Melides: When it comes to facing and fighting against a regulatory investigation and enforcement action, D&Os have two methods to utilise. The first is to be proactive by creating and developing an enterprise risk management framework that becomes the responsibility of the board of directors and is embedded in all operations and functions of the corporation. Under such a framework, senior management should also consider the tools available to protect them against personal liability through corporate bylaws, indemnification provisions or via D&O insurance as a last resort. The second is to be reactive by ensuring that the right mechanisms are in place to manage and control the possible downsides – both financial and non-financial – arising from such an investigation. As far as personal liability is concerned, ensure that a properly designed and implemented D&O programme is in place, one that ensures not only that the coverage responds but also that it is available in all jurisdictions, including international locations that do not permit non-admitted insurance.

Mebane: D&Os are responding with an increased focus on enterprise risk management, whereby a company evaluates its ability to identify, treat and monitor a variety of risks that could impact the success of its strategic initiatives. This may include developing an in-house team that is focused on managing the most significant risks for a company – such as a ‘risk centre of excellence’ – or increased training and ‘table top’ exercises that will support and evidence, respectively, a company’s tolerance of and response to potential impacts to its operating environment and strategic goals.

Flockhart: D&Os should obtain an indemnity from the company to the fullest extent permitted by the UK Companies Act 2006, as well as obtaining comprehensive insurance cover. Again, it will be vital for D&Os to ensure that cover is appropriate in terms of limits and scope; cover should be available for all kinds of regulatory investigations as well as in relation to formal third-party claims.

Musoff: It is important to contribute to an environment of trust, transparency and an appropriate tone from the top. Having strong processes and internal controls can serve to mitigate the risks of hindsight bias. Process is integral both to good decision-making and to protecting directors and officers. And good process should be implemented before any problems or issues arise – it is easier to implement and also sets a standard and benchmark by which conduct can be measured. Establishing a culture of information sharing, relying on outside advisers and open dialogue within the company can serve to create an environment that recognises and addresses risks in an effort to avoid costly problems before they arise. Reliance on outside counsel and advisers can also mitigate such risks and exposures. It is also important for directors and officers to assess the amount of insurance coverage and to analyse the potential exclusions and prior acts exceptions.

Bentz: There is no substitute for a strong indemnification provision in the corporate documents and a well negotiated D&O policy. It is surprising how many companies have sub-par indemnification provisions in their bylaws. Several recent cases have made clear that if you have not updated your indemnification provisions lately, you may be at risk in the event of a claim. Similarly, D&O insurance policies need to be negotiated. These policy forms vary significantly from one insurance company to the next. There is sufficient competition in the marketplace that many D&O insurers are willing to consider suggestions and, in varying degrees, to tailor their policies to meet the insureds’ needs by means of endorsements. Too few insureds avail themselves fully of this opportunity, and, as a result, many discover coverage shortfalls only after a claim arises.

There has been an enhanced focus on a corporation’s cyber security risks, and over the course of the previous two years we have seen an increase in cyber breach claims brought against D&Os.

— Adrian Mebane

Snow: Looking ahead, how do you envisage the risks facing D&Os to evolve in the months and years to come? Are they likely to become ever more complex and international in nature?

Mebane: We will likely continue to see a similar trend regarding risks facing D&Os in the future, as companies continue to enter complex regulatory markets and assume the challenges of operating in them. Additionally, US and international regulators will continue to focus on enforcement to deter misconduct, which will likely have an impact on potential trailing civil litigation. D&O claim activity outside of the US may also increase, as countries have been considering revising local regulations that affect and guide the behaviour of D&Os relating to corporate governance. Companies and D&Os must be vigilant and evaluate the international legal requirements and potential impacts on individual liability.

Musoff: The macroeconomic environment and its inherent uncertainties, coupled with the continued political and regulatory pressure to hold individuals accountable, leads me to believe that the risks facing directors and officers will only increase rather than abate. We live in an increasingly global world where the risks facing corporations and those who run them easily cross geopolitical borders. The financial and corporate environments continue to become more complex and international in scope. Thus, operating in such an environment naturally exposes directors and officers to more complex and international risks. In such an environment, it will continue to be important to exercise strong independent judgment and to ensure that proper processes, procedures and controls are in place.

Flockhart: Heightened regulatory scrutiny and a culture of greater individual accountability are here to stay. Regulators in different jurisdictions are now also cooperating with each other, so investigations are likely to become increasingly international in their scope. The changing risk landscape should be constantly monitored and emerging risks such as cyber and privacy should also be borne in mind.

Bentz: We continue to see M&A related litigation as a major risk for companies. M&A deals can trigger significant changes to D&O policies and insurers are constantly looking for ways to address this risk. We also expect cyber to be an evolving area of risk. Some D&O insurers have affirmatively added exclusions for all cyber claims. This should be a significant concern for directors and officers. It is also increasingly important that a D&O form work well with any cyber insurance the company may purchase. Finally, as more countries adopt class action litigation options similar to those in the US, we expect to see the need for more locally admitted insurance.

Melides: Today, the world evolves rapidly across the political, economic, social and technology landscape. In this environment of change, I expect some new risks or threats to affect the role of directors and introduce new responsibilities in the areas of risk management, compliance and corporate governance. The impact and importance of regulation is often cited in surveys around the world as the number one risk concern of directors. I do not believe this will change in the foreseeable future. In fact, there are signs that it will become more intense and international in nature, judging from recent legislation introduced in Asian and Latin American countries. And in that framework, I believe greater focus will be placed upon individual accountability, thus leading to an increase in D&O litigation. Cyber risk or cyber security is another, possibly hidden, concern. Cyber risk is probably the fastest growing emerging risk for organisations today and a key topic of discussion on the boardroom agenda. While we become aware daily of incidents relating to data and security breaches, from a directors’ liability perspective, activity is still fairly low, although it is expected to pick up rapidly. Thus, it is impossible to ignore.

Carolyn Snow is immediate past president of the Risk Management Society (RIMS) and director of risk management at Humana Inc. On the RIMS board she has served as liaison to conference planning, marketing and communications, quality and technology. As director of operational and clinical risks at Humana, Ms Snow manages the corporate insurance programme, including Humana’s captive and RMIS system. She can be contacted on +1 (502) 580 3861 or by email: csnow@humana.com.

Adrian Mebane is vice president and deputy general counsel for The Hershey Company. Leading the company’s global Legal Risk Center of Excellence, he is responsible for addressing high impact risks in the global ethics and compliance, regulatory, litigation and intellectual property practice areas. Mr Mebane also works collaboratively with and is a trusted adviser to executive leadership, senior management, the audit and finance & risk management committees and the board of directors. He can be contacted on +1 (717) 534 7673 or by email: amebane@hersheys.com.

Ffion Flockhart is a dispute resolution lawyer and qualified solicitor-advocate. With an insurance law background, she advises clients across a number of industries on the management of key financial risks as well as on the resolution of disputes. She is known in particular for her policy wording work for large corporates and financial institutions, as well as her work on matters involving directors and officers’ (D&O) liability, transaction liability and cyber risk. She can be contacted on +44 (0)20 7444 2545 or by email: ffion.flockhart@nortonrosefulbright.com.

Scott D. Musoff represents financial institutions, corporations, private equity firms and individuals in federal and state trial and appellate courts, as well as in arbitration proceedings. Mr Musoff was profiled as one of the ‘10 Most Admired Securities Attorneys’ by Law360, which also named him as one of its ‘Securities MVPs’ in 2012. He repeatedly has been selected for inclusion in Chambers USA, Legal 500 U.S., and The Best Lawyers in America. He can be contacted on +1 (212) 735 7852 or by email: scott.musoff@skadden.com.

George Melides is the head of management liability for Europe, Middle East and Africa at Zurich Global Corporate EMEA. His areas of expertise include all management liability products (D&O, EPL, crime, pension trustee) and extend to financial institutions and professional indemnity. Mr Melides has over 12 years’ experience in financial lines products for UK and international companies gained through a variety of underwriting and broking roles. He can be contacted on +44 (0)20 7648 3008 or by email: george.melides@zurich.com.